8.8.4. Requirements for external OpenID providers
If OpenID providers that are external to the 1C:Enterprise application are to be used to authenticate users of 1C:Enterprise infobases, the following requirements must be taken into account:
- The OpenID provider must support the OpenID Authentication 2.0 protocol specification and the extension of this protocol implemented in the 1C:Enterprise platform.
- To support the 1C:Enterprise thin client, the OpenID provider must use a cookie named vrs_oid2op_auth.
- When it receives a request whose Accept HTTP header prohibits HTML content in the response, the OpenID provider must not redirect using HTML forms (section 5.2.2 of the OpenID Authentication 2.0 protocol specification).
- When returning the openid.claimed_id and openid.identity parameters to a 1C:Enterprise infobase, the OpenID provider must set the values of these parameters in the format <OpenID provider address>?lid=<user login>. For example: https://myserver.org/users-ib/e1cib/oid2op?lid=user1.
It may also be helpful to consider the following:
- When a 1C:Enterprise infobase accesses an OpenID provider, it always passes the value https://specs.openid.net/auth/2.0/identifier_select in the openid.claimed_id and openid.identity request parameters.
- A 1C:Enterprise infobase does not use a shared secret key (established with the Diffie-Hellman algorithm) to authenticate the provider's messages. Authentication is performed by a direct request to the OpenID provider, in accordance with section 11.4.2 of the OpenID Authentication 2.0 protocol specification.
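As an added illustration (not from the 1C:Enterprise documentation or platform): a minimal Python model of the provider-side behaviour these requirements describe, i.e. forming openid.claimed_id and openid.identity in the required lid format, answering an identifier_select request, and choosing the section 5.2.2 indirect-communication method from the client's Accept header. The provider address and the relying-party return_to URL are constructed sample values, and message signing is left to a separate layer.

```python
from html import escape
from urllib.parse import urlencode, urlsplit, parse_qs

OP_ENDPOINT = "https://myserver.org/users-ib/e1cib/oid2op"  # sample provider address from the text above
IDENTIFIER_SELECT = "https://specs.openid.net/auth/2.0/identifier_select"

def identity_for(login: str) -> str:
    """Build openid.identity / openid.claimed_id in the required <OP address>?lid=<login> form."""
    return OP_ENDPOINT + "?" + urlencode({"lid": login})

def is_valid_identity(value: str) -> bool:
    """Check that an identifier has exactly the required shape: this OP address and a single lid."""
    u = urlsplit(value)
    qs = parse_qs(u.query, keep_blank_values=True)
    return (f"{u.scheme}://{u.netloc}{u.path}" == OP_ENDPOINT
            and list(qs) == ["lid"] and len(qs["lid"]) == 1 and qs["lid"][0] != "")

def build_assertion(request: dict, login: str) -> dict:
    """Positive assertion for a checkid_* request in which the RP sent identifier_select.
    openid.sig, openid.signed and openid.response_nonce are left to the signing layer."""
    if request.get("openid.claimed_id") != IDENTIFIER_SELECT:
        raise ValueError("a 1C infobase always requests identifier_select")
    ident = identity_for(login)
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": ident,
            "openid.identity": ident, "openid.return_to": request["openid.return_to"]}

def html_allowed(accept: str) -> bool:
    """True if the Accept header admits an HTML response (text/html, text/* or */* with q > 0)."""
    for item in accept.split(","):
        media, *params = [p.strip() for p in item.split(";")]
        q = next((float(p[2:]) for p in params if p.startswith("q=")), 1.0)
        if media in ("text/html", "text/*", "*/*") and q > 0:
            return True
    return False

def indirect_response(params: dict, accept: str) -> tuple:
    """Section 5.2.2 indirect communication: when the client does not accept HTML (as with a
    non-browser client), redirect with the parameters in the query string; otherwise an
    auto-submitting HTML form POST to return_to is also acceptable."""
    return_to = params["openid.return_to"]
    if not html_allowed(accept):
        return 302, return_to + ("&" if "?" in return_to else "?") + urlencode(params)
    fields = "".join(f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
                     for k, v in params.items())
    return 200, f'<form method="post" action="{escape(return_to)}">{fields}</form>'
```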
See also:
- OpenID Authentication 2.0 (see https://openid.net/specs/openid-authentication-2_0.html).
- OpenID Authentication 2.0, section 5.2.2 (see https://openid.net/specs/openid-authentication-2_0.html#indirect_comm).
- OpenID Authentication 2.0, section 11.4.2 (see https://openid.net/specs/openid-authentication-2_0.html#indirect_comm).
- Additional requirements for an OpenID provider (see the article Requirements for external OpenID providers).